Timeline :

Vulnerability patched by Oracle in 2012 October CPU
Vulnerability discovered exploited in the wild by kafeine the 2012-11-09First Metasploit PoC provided the 2012-11-11
Second Metasploit PoC provided the 2013-01-22

PoC provided by :

Reference(s) :

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

As you may known Oracle Java SE 6 major release will be end-of-life (EOL), or more precisely Oracle will no more release public updates, after February 2013. But Oracle customers could buy a commercial support for Oracle Java SE 6 in order to have support until December 2016 and more. Also Oracle will force update to JSE 7 through an auto-update process who will start in December 2012 (wasn’t I forced to update in July ?).

Oracle has release his new Java SE 7 major release since July 2011 and push users to update to JSE 7 since the release of JSE 6U33 minor release.

The median CVSS score for the 58 vulnerabilities was 7.5, 31 (53,45%) of them had a CVSS score upper than 7.0, 21 (36,21%) of them had a CVSS score upper to 4.0 to 6.9, and 6 (10,34%) of them had a CVSS score from 0.0 to 3.9.

CVE-2012-4681 was discovered exploited in the wild at end of August, targeting JSE 7 and JSE 6, and has force Oracle to push an out-of-band patch. CVE-2012-5076 was discovered exploited in the wild in November, targeting JSE 7, but was already patched during October CPU.

CVE-2012-0500, targeting JSE 7 and JSE 6, was fixed during February CPU, the 14th, and the vulnerability was integrated into Metasploit the 23 February after details disclosure by a white hat security researcher. CVE-2012-0507, JSE 7 and JSE 6, was also fixed during February CPU, the 14th, and the vulnerability was integrated into Metasploit the 29 March after details disclosure by a white hat security researcher. CVE-2012-1723, JSE 7 and JSE 6, was fixed during June CPU, the 12th, and the vulnerability was integrated into Metasploit the 9 July after details disclosure by a white hat security researcher.

On the 58 vulnerabilities patched in 2012 CPU’s and alerts, 100% of them were targeting JSE 7 and 84,48% (49) were targeting JSE 6. On the total 5 public exploits, 4 of them are targeting JSE 7 and 6, and the last one is targeting only JSE 7.

The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.

The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Five levels of security are supported, plus a custom security level settings. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.

New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

Take care in some upgrade cases from JSE 6 to JSE 7, the Java Control Panel has disappear from the Windows Control Panel. If it is the case, you have to explore C:\Program Files\Java\jre7\bin Windows folder and execute javacpl.exe binary.

Regarding the security levels, the five levels are:

Custom: You can customize all the security settings based on you’re needs.

Low: Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version or to protected resources on the system.

Medium: Default security level. Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure (screenshot bellow). You will be prompted if an unsigned app requests to run on an old version of Java.

High: You will be prompted before any unsigned Java app runs in the browser (screenshot bellow).

Very High: You will be prompted before any Java app runs in the browser. If your version of Java is insecure, unsigned apps will not run.

Java SE 7 is really immature, regarding the number of vulnerabilities and existing bugs, but Oracle don’t give user the choice. You have to migrate to JSE 7. So bye bye JSE 6.